engenioLSI.txt
Posted Sep 9, 2004
Authored by Frank Denis

Storagetek and IBM FastT controllers can be frozen with a few specially crafted TCP packets. The IP stack becomes unresponsive and administration through Santricity/IBM Storage Manager becomes impossible. Under some circumstances, unrecoverable corruption of the stored data will happen. This attack doesn't require any authentication and there is no trace in any log file. The controllers are vulnerable even at installation-time.

tags | advisory, tcp
SHA-256 | 9f0a33dcfdb49b6eae3cc05e488bd9881a47508833daf81f508815df58c6fc70

Product : Engenio/LSI Logic storage controllers, including:
- Storagetek D280 (verified),
- IBM FastT 100 (verified),
- Probably all other Storagetek and IBM FastT storage controllers since the
software part is almost identical,
- Maybe some SGI and Teradata storage controllers (unverified),
- Some Brocade fiber-channel switches (according to Storagetek),
- Maybe other devices with the VxWorks embedded operating system
(unverified).
Vuln. : Remotely exploitable denial of service / data corruption
Date : 09/04/2004
Author : Frank Denis <j@pureftpd.org>


------------------------[ Product description ]------------------------

Engenio (formerly LSI Logic) builds high-performance SATA and Fiber Channel
OEM storage systems for data-intensive environments.

This hardware is sold with different covers by IBM (FastT series),
Storagetek (D series), SGI and Teradata.

Engenio's web site is http://www.engenio.com/
Storagetek disk storage:
http://www.storagetek.com/products/disk_storage.html
IBM FastT systems: http://www.storage.ibm.com/disk/fastt/


------------------------[ Vulnerability ]------------------------

Storagetek and IBM FastT controllers can be frozen with a few specially
crafted TCP packets. The IP stack becomes unresponsive and administration
through Santricity/IBM Storage Manager becomes impossible.

Under some circumstances, unrecoverable corruption of the stored data will
happen.

This attack doesn't require any authentication and there is no trace in
any log file.

The controllers are vulnerable even at installation-time.


------------------------[ Details ]------------------------

With the hope that vendors will finally fix their products, details won't
be disclosed in this advisory.


------------------------[ Workaround ]------------------------

The controllers should always be placed on a dedicated subnet in order to
be only reachable from administration hosts.

(Does it sound obvious? Well... how many SQL Server hosts were compromised
a few months back?)
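
Since the controllers log nothing, checking the workaround has to happen on the network side. The following is an added example, not part of the original advisory: it audits an inventory and a set of flow records against the rule above. All addresses, ports and the flow-record format are constructed for illustration.

```python
import ipaddress

# Assumed site layout (constructed): a dedicated management subnet, the
# administration hosts allowed to reach it, and the controller inventory.
MGMT_SUBNET = ipaddress.ip_network("10.20.30.0/28")
ADMIN_HOSTS = {ipaddress.ip_address(a) for a in ("10.20.30.2", "10.20.30.3")}
CONTROLLERS = {ipaddress.ip_address(a)
               for a in ("10.20.30.10", "10.20.30.11", "192.168.1.50")}

# Constructed flow records, one per line: "src dst proto dport".
SAMPLE_FLOWS = """\
10.20.30.2 10.20.30.10 tcp 443
10.20.30.3 10.20.30.11 tcp 443
172.16.4.77 10.20.30.10 tcp 23
10.20.30.9 10.20.30.11 tcp 80
# exported by a hypothetical collector
garbage line
"""


def misplaced_controllers():
    """Controllers whose management address is outside the dedicated subnet."""
    return sorted(c for c in CONTROLLERS if c not in MGMT_SUBNET)


def unauthorized_flows(text):
    """Flows that reach a controller from anything other than an admin host.

    A source inside the management subnet is still flagged unless it is
    explicitly listed in ADMIN_HOSTS. Malformed lines are skipped.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            src = ipaddress.ip_address(fields[0])
            dst = ipaddress.ip_address(fields[1])
            dport = int(fields[3])
        except ValueError:
            continue
        if dst in CONTROLLERS and src not in ADMIN_HOSTS:
            hits.append((str(src), str(dst), fields[2], dport))
    return hits


if __name__ == "__main__":
    print("outside mgmt subnet:", [str(c) for c in misplaced_controllers()])
    for hit in unauthorized_flows(SAMPLE_FLOWS):
        print("unexpected source:", hit)
```
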


------------------------[ Vendors status ]--------------------

After successful data corruption of a D280 storage system, Storagetek was
informed on Jun 14. They said they will publish details and release a patch
the week after. They didn't.

In order to give a chance to all vendors to get a fix, I sent details and
a working exploit to the Engenio/LSI Logic support <support@lsil.com> on
Jun 21. Their tech support is awesome. [about the attached C source code]:
"What format is this image in? I cannot open it. Can you please send it in
another format?". The ticket was then closed "it's a Storagetek issue".

On Jun 25, the global technical services manager reopened the ticket,
asking some tech people whether that issue was being looked at. Nothing
happened since. I also sent them a fix for a bug in Santricity but there
was no answer either.

Later, Storagetek came back to me. They confirmed the vulnerability and
they were able to reproduce it on their Brocade fiber-channel switches as
well. They said the bug was actually in the embedded operating system,
VxWorks.

That's why I wrote to the Brocade support <support@brocade.com> on Jul 6,
with details and the exploit. It was assigned case number RQST00000030729
but I didn't get anything except a generic message asking for a serial
number in order to verify the service entitlement. The email address of my
support contact <mzhang@brocade.com> doesn't even work any more.

I wrote to Windriver with the same result: "please provide your license
number". This is frustrating. I'm not asking for support, I'm not even a
direct customer, I just want to _help_, but no, this is impossible, you have
to pay to help.

On Jun 30, I wrote to SGI just in case their hardware would also be
vulnerable. Teradata web site is a total mess and I wasn't able to find
anything related to their storage systems. The online form for security
alert on the SGI web site sent a mail to <security-alert@csd.sgi.com> but
the mail bounced from internal-mail-relay.corp.sgi.com with an internal error
the week after: "451 relay.engt.sgi.com: Name server timeout".

IBM was contacted the same day, with details and the exploit. The AIX
security contact is a very nice guy but it looks like he can't find anyone
at IBM that could listen to Totalstorage-related security issues.

The company I'm working for just bought a newly manufactured IBM FastT
100. It could be crashed the same way as the Storagetek D280 controller, so
almost all Engenio-based storage systems probably still share the same
security issue.

Multiple emails were sent later to those vendors with the hope of having
some news about that issue, but it was a waste of time. At this point I
guess there is nothing else that can be done.

--
__ /*- Frank DENIS (Jedi/Sector One) <j at 42-Networks.Com> -*\ __
\ '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a> \' /
\/ <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a> \/